** Changed in: mahara/1.9 Status: Fix Committed => Fix Released ** Information type changed from Private Security to Public Security
-- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1363873 Title: Session Management Issue- Session is not invalidating after password change Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.10 series: Fix Released Status in Mahara 1.8 series: Fix Released Status in Mahara 1.9 series: Fix Released Status in Mahara 15.04 series: Fix Committed Bug description: Hi Security Team, I have discovered the session management issue on the domain https://mahara.org/ Description of the issue- The application does not invalidate the previous session once the password is changed by the legitimate user. How to reproduce?- 1. Login in the application using https://mahara.org/ and login into the application. 2. Lets assume application user's account is compromised so he wants to change his password, he will navigate to forgot password page and will change his password. 3. Application user is able to change his password but it was observed that still the previous session was not invalidated and i was actually able to browse the application from both the sessions. Impact- If the application user's account is compromised, he will simply change his password but if the previous session is not invalidated there is no use of changing the password. Please let me know if you need video PoC for this. Remediation- Invalidate the previous session once the password has been changed and enforce the application user to relogin in the application. Thanks and Regards, Abhishek Dashora To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1363873/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp